Closed yogurtearl closed 1 year ago
In general, do you have dependabot alerts turned on in this repo?
Anything that dependabot flags also causes issues for us. :) So issuing timely patches for all the dependabot alerts would help us a lot. :)
Yes we have dependabot alerts enabled, and the Semver update PR was merged last month: https://github.com/gradle/gradle-build-action/commit/ce999babab2de1c4b649dc15f0ee67e6246c994f
The fix is available in v2.7.0
I can still see the ^6.3.0 in package-lock.json, but it appears that the version actually used by NPM is the patched version.
I presume that you cannot see the actual security alert in this repository, but here's how it has been resolved:
Ah, yeah, OK, I can see it here 👇. Thanks.
https://github.com/gradle/gradle-build-action/blob/v2.7.0/package-lock.json#L13167-L13171
Thanks for the screenshot, that helps. (I can't see the dependabot alerts.)
The version of semver in use has reported vulns (https://nvd.nist.gov/vuln/detail/CVE-2022-25883): https://github.com/gradle/gradle-build-action/blob/a4cf152f482c7ca97ef56ead29bf08bcd953284c/package-lock.json#L397
See https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
Upgrade to a version with no vulns:
https://security.snyk.io/package/npm/semver